
Help With Extractions Involving Microsoft AV Hashes

Path Finder

Inconsistency with file names coming from Microsoft AV hashes is causing alerts to populate null results when firing off after a file has been quarantined.

Currently, we are matching the hashes based on a lookup that is generated by a saved search. We are having problems with our regex expression because the file names within the WinEvent Log message are not consistent. We are trying to extract the file name. Most of the time, our regex is successful in pulling out the file name for the field. However, there are times when the file name is not extracted properly due to the format of the log being different (returning values that append (GZIP) or other characters). The main problem is that we are seeing it showing the entire zip location and not just the actual file itself.

Any suggestions on this would be awesome. The query being used to look at these events and extraction, then outputting to a lookup is:

This report runs every 5 minutes and scans for new files and hashes.

index=wineventlog (sourcetype="WinEventLog:System" OR sourcetype="WinEventLog:Microsoft-Windows-Windows Defender/Operational") EventCode=1120 (SourceName="Microsoft Antimalware" OR SourceName="Microsoft-Windows-Windows Defender") earliest=-5m@m latest=@m
| rex field=Threat_resource_path "(?<file_name>[^\\]+$)"
| stats count BY file_name ComputerName Hashes
| fields - count
| inputlookup append=t .csv
| dedup ComputerName Hashes
| outputlookup .csv

Example of a log that has trouble with extraction:

02/20/2020 02:20:44 AM
LogName=Microsoft-Windows-Windows Defender/Operational
SourceName=Microsoft-Windows-Windows Defender
EventCode=1120
EventType=4
Type=Information
ComputerName=
User=NOTTRANSLATED
Sid=
SidType=0
TaskCategory=None
OpCode=Info
RecordNumber=33310
Keywords=None
Message=Windows Defender Antivirus has deduced the hashes for a threat resource.
Current Platform Version: 4.18.1911.3
Threat resource path: C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)
Hashes: SHA1:5b803dc7f6c6ahashgoesheree0efadfbf6c5ba834;

The filename extraction wants to pull the entire f_019fa8->(GZip) as opposed to just f_019fa8. 😞


Re: Help With Extractions Involving Microsoft AV Hashes

Builder

Knowing that the greater than (>) symbol is illegal in Windows filenames, you could modify your regex thusly:

| rex field=Threat_resource_path "(?<fname>[\w\:\.\\\-\s]+)\>?"

Then you merely need to pull the final hyphen (-), if there is one:

| eval fname=rtrim(fname,"-")

There's probably an even snazzier way to do this with just a regex, but this works.


Re: Help With Extractions Involving Microsoft AV Hashes

Path Finder

Thank you! Along with the regex, the rtrim idea does what is needed!


Re: Help With Extractions Involving Microsoft AV Hashes

SplunkTrust

Try | rex field=Threat_resource_path "(?<file_name>[^\\]+)[-$]"

---
If this reply helps you, an upvote would be appreciated.

Re: Help With Extractions Involving Microsoft AV Hashes

Path Finder

Thank you Rich. This extraction worked 🙂


Re: Help With Extractions Involving Microsoft AV Hashes

Ultra Champion

| makeresults
| eval Threat_resource_path="C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)"
| rex field=Threat_resource_path "^.*\\\(?<fname>\w+)"

There are various regular expressions.
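Added example (not from any post in this thread): the two rex patterns above transcribed to Python and run over constructed Threat resource path values, next to a pattern of my own that strips the "->(...)" annotation first. The sample paths, the ROBUST pattern and the function names are assumptions; running it shows that the accepted pattern yields null when no hyphen follows the name and truncates names that contain a hyphen, and that the \w+ pattern drops file extensions.

```python
import re

# Constructed sample "Threat resource path" values in the form Defender event
# 1120 logs them (assumed examples, not taken from any real host).
SAMPLES = {
    "gzip":   r"C:\Users\usergoeshere\AppData\Local\Google\Chrome\User Data\Default\Cache\f_019fa8->(GZip)",
    "plain":  r"C:\Users\usergoeshere\Downloads\invoice.pdf",
    "hyphen": r"C:\Users\usergoeshere\Downloads\setup-x64.exe",
}

# The two extractions proposed in the thread, transcribed to Python.
# Splunk's PCRE writes named groups as (?<name>...); Python's re needs (?P<name>...).
ACCEPTED = re.compile(r"(?P<file_name>[^\\]+)[-$]")   # from: "(?<file_name>[^\\]+)[-$]"
LAST_WORD = re.compile(r"^.*\\(?P<fname>\w+)")        # from: "^.*\\\(?<fname>\w+)"

# Alternative (my own, not from the thread): take the last backslash-separated
# component but stop before an optional "->..." annotation. Because ">" cannot
# occur in a Windows file name, the annotation can only follow the real name.
ROBUST = re.compile(r"(?P<file_name>[^\\]+?)(?:->(?P<annotation>.*))?$")


def thread_extractions(path):
    """What each thread regex yields for a path: (accepted, last_word); None = no match."""
    m1 = ACCEPTED.search(path)
    m2 = LAST_WORD.search(path)
    return (m1.group("file_name") if m1 else None,
            m2.group("fname") if m2 else None)


def extract_file_name(path):
    """Return (file_name, container): container is the text inside '->(...)', or None."""
    m = ROBUST.search(path)
    if not m:
        return None, None
    annotation = m.group("annotation")
    container = annotation.strip("()") if annotation else None
    return m.group("file_name"), container


if __name__ == "__main__":
    for label, path in SAMPLES.items():
        print(label, thread_extractions(path), extract_file_name(path))
```

In SPL the ROBUST pattern is written with PCRE group syntax: | rex field=Threat_resource_path "(?<file_name>[^\\]+?)(?:->.*)?$" (assumed equivalent; check it in a makeresults test like the one above before putting it in the saved search).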
